comparison Plugin/DefaultAuthorizationParser.cpp @ 77:94a9484d7f8f
fix security issues allowing to browse remote dicom servers + introduced UnitTests
author | Alain Mazy <am@osimis.io> |
---|---|
date | Wed, 15 Mar 2023 16:36:42 +0100 |
parents | 1a13c4fbc9a1 |
children | 0ffad746a16b |
76:d301047ee3c4 | 77:94a9484d7f8f |
---|---|
48 | 48 |
49 dicomWebInstances_ = boost::regex( | 49 dicomWebInstances_ = boost::regex( |
50 "^" + tmp + "/studies/([.0-9]+)/series/([.0-9]+)/instances/([.0-9]+)(|/|/frames/.*)$"); | 50 "^" + tmp + "/studies/([.0-9]+)/series/([.0-9]+)/instances/([.0-9]+)(|/|/frames/.*)$"); |
51 | 51 |
52 dicomWebQidoRsFind_ = boost::regex( | 52 dicomWebQidoRsFind_ = boost::regex( |
53 "^" + tmp + "/(studies|series|instances)\?(.*)$"); | 53 "^" + tmp + "/(studies|series|instances)$"); |
54 } | 54 } |
55 | 55 |
56 | 56 |
57 bool DefaultAuthorizationParser::Parse(AccessedResources& target, | 57 bool DefaultAuthorizationParser::Parse(AccessedResources& target, |
58 const std::string& uri, | 58 const std::string& uri, |
132 AddOrthancInstance(target, what[2]); | 132 AddOrthancInstance(target, what[2]); |
133 return true; | 133 return true; |
134 } | 134 } |
135 else if (boost::regex_match(uri, what, dicomWebQidoRsFind_)) | 135 else if (boost::regex_match(uri, what, dicomWebQidoRsFind_)) |
136 { | 136 { |
137 std::string studyInstanceUid, seriesInstanceUid, sopInstanceUid; | 137 std::string studyInstanceUid, seriesInstanceUid, sopInstanceUid, patientId; |
138 | 138 |
139 studyInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "0020000D", ""); | 139 studyInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "0020000D", ""); |
140 seriesInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "0020000E", ""); | 140 seriesInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "0020000E", ""); |
141 sopInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "00080018", ""); | 141 sopInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "00080018", ""); |
142 patientId = Orthanc::HttpToolbox::GetArgument(getArguments, "00100010", ""); | |
142 | 143 |
143 if (!sopInstanceUid.empty() && !seriesInstanceUid.empty() && !studyInstanceUid.empty()) | 144 if (!sopInstanceUid.empty() && !seriesInstanceUid.empty() && !studyInstanceUid.empty()) |
144 { | 145 { |
145 AddDicomInstance(target, studyInstanceUid, seriesInstanceUid, sopInstanceUid); | 146 AddDicomInstance(target, studyInstanceUid, seriesInstanceUid, sopInstanceUid); |
147 return true; | |
146 } | 148 } |
147 else if (!seriesInstanceUid.empty() && !studyInstanceUid.empty()) | 149 else if (!seriesInstanceUid.empty() && !studyInstanceUid.empty()) |
148 { | 150 { |
149 AddDicomSeries(target, studyInstanceUid, seriesInstanceUid); | 151 AddDicomSeries(target, studyInstanceUid, seriesInstanceUid); |
152 return true; | |
150 } | 153 } |
151 else if (!studyInstanceUid.empty()) | 154 else if (!studyInstanceUid.empty()) |
152 { | 155 { |
153 AddDicomStudy(target, studyInstanceUid); | 156 AddDicomStudy(target, studyInstanceUid); |
157 return true; | |
154 } | 158 } |
155 return true; | 159 else if (!patientId.empty()) |
160 { | |
161 AddDicomPatient(target, patientId); | |
162 return true; | |
163 } | |
156 } | 164 } |
157 else | 165 |
166 // Unknown type of resource: Consider it as a system access | |
167 | |
168 // Remove the trailing slashes if need be | |
169 std::string s = uri; | |
170 while (!s.empty() && | |
171 s[s.length() - 1] == '/') | |
158 { | 172 { |
159 // Unknown type of resource: Consider it as a system access | 173 s = s.substr(0, s.length() - 1); |
160 | 174 } |
161 // Remove the trailing slashes if need be | 175 |
162 std::string s = uri; | 176 target.push_back(AccessedResource(AccessLevel_System, s, "")); |
163 while (!s.empty() && | 177 return true; |
164 s[s.length() - 1] == '/') | |
165 { | |
166 s = s.substr(0, s.length() - 1); | |
167 } | |
168 | |
169 target.push_back(AccessedResource(AccessLevel_System, s, "")); | |
170 return true; | |
171 } | |
172 } | 178 } |
173 } | 179 } |
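Review bot: The new line `patientId = Orthanc::HttpToolbox::GetArgument(getArguments, "00100010", "");` reads the Patient's Name tag, whereas the Patient ID tag is (0010,0020); if `AddDicomPatient` keys on the Patient ID, the line should read `patientId = Orthanc::HttpToolbox::GetArgument(getArguments, "00100020", "");`. As written, a QIDO-RS query filtered on `00100020` matches none of the branches and falls through to the `AccessLevel_System` fallback, which fails closed but is probably not the intended granularity, while a query on `00100010` is checked as though the name were a patient identifier. The parser also reads only the hex-tag spelling of the QIDO-RS parameters, so keyword spellings such as `StudyInstanceUID=` would take the same system-access path; worth confirming against the new unit tests. The body of `Parse` between lines 58 and 132 lies outside this hunk.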